vfs: prevent stack overflow in recursive readdir on circular symlinks

MemoryProvider#readdirSync with `recursive: true` follows symlinks to
directories during traversal. The traversal was recursive and unbounded,
so a circular symlink caused unbounded recursion in the internal walk()
helper until the call stack was exhausted, crashing the process with
`RangeError: Maximum call stack size exceeded`. Both the synchronous and
promise-based variants were affected.

Rewrite the traversal to be iterative, using an explicit queue instead
of recursion so deeply nested trees can no longer exhaust the call
stack.
Each queued directory carries the number of symlink hops taken to reach
it; a directory reached by following a symlink is not enqueued once that
count would exceed kMaxSymlinkDepth, mirroring the ELOOP guard in
#lookupEntry and the real filesystem, which follows directory symlinks
until the OS symlink limit is reached. Entries are still listed, so
non-circular symlinks continue to be followed as before.

Fixes: #64148
Signed-off-by: AkshatOP <hunterdevil0987@gmail.com>

Author: AkshatOP

lib/internal/vfs/providers/memory.js

@@ -612,7 +612,20 @@ class MemoryProvider extends VirtualProvider {
   #readdirRecursive(dirEntry, dirPath, withFileTypes) {
     const results = [];
 
-    const walk = (entry, currentPath, relativePath) => {
+    // Traverse iteratively using an explicit queue instead of recursion, so a
+    // deeply nested tree cannot exhaust the call stack. Each queued directory
+    // also carries the number of symlink hops taken to reach it; following a
+    // symlink stops once that count would exceed kMaxSymlinkDepth, so circular
+    // symlinks terminate just as they do on the real filesystem (ELOOP).
+    const queue = [{
+      entry: dirEntry,
+      path: dirPath,
+      relativePath: '',
+      symlinkDepth: 0,
+    }];
+
+    for (let i = 0; i < queue.length; i++) {
+      const { entry, path: currentPath, relativePath, symlinkDepth } = queue[i];
       this.#ensurePopulated(entry, currentPath);
 
       for (const { 0: name, 1: childEntry } of entry.children) {
@@ -634,8 +647,9 @@ class MemoryProvider extends VirtualProvider {
           ArrayPrototypePush(results, childRelative);
         }
 
-        // Follow symlinks to directories for recursive traversal
+        // Follow symlinks to directories for recursive traversal.
         let resolvedChild = childEntry;
+        let childSymlinkDepth = symlinkDepth;
         if (childEntry.isSymbolicLink()) {
           const targetPath = this.#resolveSymlinkTarget(
             pathPosix.join(currentPath, name), childEntry.target,
@@ -644,15 +658,20 @@ class MemoryProvider extends VirtualProvider {
           if (result.entry) {
             resolvedChild = result.entry;
           }
+          childSymlinkDepth = symlinkDepth + 1;
         }
-        if (resolvedChild.isDirectory()) {
-          const childPath = pathPosix.join(currentPath, name);
-          walk(resolvedChild, childPath, childRelative);
+        if (resolvedChild.isDirectory() &&
+            childSymlinkDepth <= kMaxSymlinkDepth) {
+          ArrayPrototypePush(queue, {
+            entry: resolvedChild,
+            path: pathPosix.join(currentPath, name),
+            relativePath: childRelative,
+            symlinkDepth: childSymlinkDepth,
+          });
         }
       }
-    };
+    }
 
-    walk(dirEntry, dirPath, '');
     return results;
   }
 

test/parallel/test-vfs-readdir-symlink-recursive.js

@@ -3,7 +3,7 @@
 
 // Recursive readdir must follow symlinks to directories.
 
-require('../common');
+const common = require('../common');
 const assert = require('assert');
 const vfs = require('node:vfs');
 
@@ -52,3 +52,57 @@ assert.ok(
   assert.ok(dirents.some((d) => d.name === 'sub' && d.isDirectory()));
   assert.ok(dirents.some((d) => d.name === 'lnk' && d.isSymbolicLink()));
 }
+
+// Recursive readdir on circular symlinks must terminate, not overflow the
+// stack. Regression test for https://github.com/nodejs/node/issues/64148
+
+// Self-referential symlink: /dir/loop -> /dir
+{
+  const v = vfs.create();
+  v.mkdirSync('/dir');
+  v.symlinkSync('/dir', '/dir/loop');
+
+  const entries = v.readdirSync('/', { recursive: true });
+  // Terminates, follows the symlink at least one level, stays bounded.
+  assert.ok(entries.includes('dir'));
+  assert.ok(entries.includes('dir/loop'));
+  assert.ok(entries.includes('dir/loop/loop'));
+  assert.ok(entries.length < 100, `unbounded result: ${entries.length}`);
+}
+
+// Mutual circular chain: /a/link_to_b -> /b and /b/link_to_a -> /a
+{
+  const v = vfs.create();
+  v.mkdirSync('/a');
+  v.mkdirSync('/b');
+  v.symlinkSync('/a', '/b/link_to_a');
+  v.symlinkSync('/b', '/a/link_to_b');
+
+  const entries = v.readdirSync('/', { recursive: true });
+  assert.ok(entries.includes('a'));
+  assert.ok(entries.includes('b'));
+  assert.ok(entries.length < 200, `unbounded result: ${entries.length}`);
+}
+
+// withFileTypes:true on a circular symlink must also terminate.
+{
+  const v = vfs.create();
+  v.mkdirSync('/dir');
+  v.symlinkSync('/dir', '/dir/loop');
+
+  const dirents = v.readdirSync('/', { withFileTypes: true, recursive: true });
+  assert.ok(dirents.some((d) => d.name === 'loop' && d.isSymbolicLink()));
+  assert.ok(dirents.length < 100, `unbounded result: ${dirents.length}`);
+}
+
+// Async promises.readdir variant must reject-free terminate as well.
+{
+  const v = vfs.create();
+  v.mkdirSync('/dir');
+  v.symlinkSync('/dir', '/dir/loop');
+
+  v.promises.readdir('/', { recursive: true }).then(common.mustCall((entries) => {
+    assert.ok(entries.includes('dir/loop'));
+    assert.ok(entries.length < 100, `unbounded result: ${entries.length}`);
+  }));
+}